Cloud Security is Not a 'Fashion Statement'

Singapore-based Aloysius Cheang, managing director of Asia Pacific at the Cloud Security Alliance, believes the term "cloud" is used loosely by most managed security services providers as they repackage and sell their products.

"It's time CISOs from APAC practise securing data on cloud and ask their service providers some imperative questions," he says.

Cheang says the APAC market is diverse and not as mature as the U.S. market - enterprises are often oblivious to simple computer malware, let alone data privacy issues in the cloud.

"Like the western world, APAC enterprises must embrace cloud to protect their critical infrastructure," he asserts.

Rather than fearing cloud, CISOs must accept that adoption is driven by business needs and that it supports organizational growth through agility, scalability and support.

Security leaders should give managers who want to adopt the cloud paradigm an actionable roadmap for doing so safely and securely, and should review security, stability and privacy in a multi-tenant environment.

In this interview with Information Security Media Group, conducted during his recent visit to Bangalore, Cheang discusses cloud in the Indian context. He offers insights on:

Research in cloud security specific to APAC;

Unique cloud security challenges of the region;

How to prepare organizations to leverage cloud to combat threats.

Cheang is a senior information technology (IT) executive with extensive experience in managing and delivering direct business value in complex multi-million dollar IT programs for Global 500 organizations. A globally recognised cybersecurity expert, Cheang holds a B.Sc (Hons) and a Master's in Computer Science. His professional certifications include CISA, CISSP and GCIH.

Research specific to APAC

GEETHA NANDIKOTKUR: What research focus does APAC demand to stay relevant to cloud security challenges?

ALOYSIUS CHEANG: Like the west, APAC enterprises must embrace cloud to protect critical infrastructure. They must realize cloud is driven by business - helping enterprises build agility, scalability and support to drive business growth. The research is about helping enterprises build their future controls and establish continuous monitoring of networks and applications. Extensive research is built around mobile security, the endpoint and entire supply chain against the backdrop of cloud. Mobile computing is experiencing tremendous growth and adoption in the region, and the devices are being used to access systems and cloud hosted data both via browser-based and native mobile applications.

I think cloud data governance is a key imperative for customers. It's critical to design a universal set of principles and map these to emerging technologies and techniques for ensuring privacy, confidentiality, availability, integrity and security of data across private and public clouds.

These will feed into the GRC stand and can be implemented as controls across the CAIQ, CCM and STAR, based on individual markets across Hong Kong, Singapore, Malaysia and India.

Unique Challenges

NANDIKOTKUR: What unique challenges do you see in this region? How do you address them?

CHEANG: The APAC market is diverse and not as mature as the U.S. market - enterprises are oblivious to even simple computer malware. It's hard to harmonize data privacy regulations into a set of data protection principles that can help cloud-consuming organizations and cloud service providers meet new data privacy requirements more efficiently. Cloud is just a fashion statement - most MSSPs sell their products repackaged as cloud; it's just an outsourcing or shared service model. Organizations are reluctant to adapt to the changes of cloud security. CIOs and CISOs believe their jobs are endangered by deploying cloud. They've hired consultants, spending hundreds of dollars to align IT with business and try to make a difference to the organization, rather than building team expertise in cloud security. The challenge has been providing security guidance for critical areas of focus in cloud to establish a stable, secure baseline for cloud operations.

Dealing With Cyber Threats

NANDIKOTKUR: How do APAC enterprises leverage cloud and prepare to deal with growing cyber threats?

CHEANG: Enterprises must rule out confusion about legal issues facing cloud. We'll partner with local government agencies to educate customers on harmonizing local standards with international best practices, rather than encourage expensive certification. Each country must create security professionals to understand country-specific regulations and standards. Cross-section training is a must for deploying cloud controls, plus understanding laws governing privacy protection for citizens and cross-border export of data based on jurisdiction. CISOs must conduct imperative checks with their service providers:

Has proper due diligence been done to evaluate the data and determine what moves to cloud?;

Evaluate the data privacy bill and its relevance to cloud;

Understand the local laws applying to cloud;

Understand who must be given access to data on cloud and who must regulate that data;

Check whether the service provider possesses all kinds of security services.

Approach to Indian market

NANDIKOTKUR: How will you influence the Indian market about cloud security and data privacy?

CHEANG: India's regulations are complex. Getting the government's buy-in to drive regulatory frameworks on cloud is tough. We'd engage with a local partner to impart training on cloud security, with academia to drive innovation, and with private companies for seed funding for incubation. We'd offer cloud security certifications. We'd partner with government and private bodies to create job roles with expertise in cloud security. Training will be imparted across three spheres: level 1, with basic knowledge of security in cloud at the architectural and operational level; high-level managerial training to address management concerns; and training for the service providers. As a top priority, Indian incubation centres and universities will create awareness and innovation.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.
